eap : Identity does not match User-Name, setting from EAP Identity
Milan Keršláger
milan.kerslager at pslib.cz
Thu Feb 12 18:33:34 CET 2015
Hello there,
I set up CentOS 7 server with package freeradius-3.0.1-6.el7.x86_64 as
an upgrade for working setup on ancient computer with CentOS 4
(freeradius-1.1.3). I'm using eduroam-like authentication with SQL
backend (Cisco WLC, 802.1X with PEAP and MSCHAPv2). There is no
forwarding realms etc, just only one radius server running with minimal
changes in the default configuration files.
User from file is defined by:
testuser Cleartext-Password := "pass"
...and works ok:
radtest testuser pass 127.0.0.1:1812 0 testing123
User in SQL works only when SQL database has loginname without realm.
radtest -t mschap user at domain.com pass 127.0.0.1:1812 0 testing123
(no groups defined, just one line in radcheck table like file above has)
But when the request is coming from my Cisco WLC, the raduis daemon is
loosing username during handshake. I saw some posts about bugs in this
older freeradius and I tried to ask at
https://bugzilla.redhat.com/show_bug.cgi?id=1120234 with a half of luck
- updated freeradius will be included in the coming RHEL 7.1 update, but
package is not yet available (and the day of 7.1 release is unknown).
My question is if there is a workaround for this. Log is attached below.
Thank you a lot. Milan
My changes to default configuration:
======================
--- /etc/raddb/mods-available/sql.orig 2014-06-10 03:00:57.000000000
+0200
+++ /etc/raddb/mods-available/sql 2015-02-11 21:31:23.560744418 +0100
@@ -55,21 +55,21 @@
# * rlm_sql_sqlite
# * rlm_sql_null (log queries to disk)
#
- driver = "rlm_sql_null"
+ driver = "rlm_sql_postgresql"
# The dialect of SQL you want to use, this should usually match
# the driver you selected above.
#
# If you're using rlm_sql_null, then it should be the type of
# database the logged queries are going to be executed against.
- dialect = "mysql"
+ dialect = "postgresql"
# Connection info:
#
-# server = "localhost"
+ server = ""
# port = 3306
-# login = "radius"
-# password = "radpass"
+ login = "radius"
+ password = "secretpass"
# Database table configuration for everything except Oracle
radius_db = "radius"
--- /etc/raddb/mods-available/eap.orig 2014-06-10 03:00:57.000000000
+0200
+++ /etc/raddb/mods-available/eap 2015-02-12 12:19:16.857216797 +0100
@@ -173,8 +173,8 @@
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
tls-config tls-common {
- private_key_password = whatever
- private_key_file = ${certdir}/server.pem
+ #private_key_password = whatever
+ private_key_file = ${certdir}/www.pslib.cz-private-2014-12-13.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
@@ -186,7 +186,7 @@
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
- certificate_file = ${certdir}/server.pem
+ certificate_file =
${certdir}/www.pslib.cz-1418430573-2014-12-13.pem
# Trusted Root CA list
#
@@ -203,7 +203,7 @@
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
- ca_file = ${cadir}/ca.pem
+ ca_file = ${cadir}/tcs-ca-bundle-2014-12-13.pem
#
# If OpenSSL supports TLS-PSK, then we can use
--- /etc/raddb/mods-config/files/authorize.orig 2014-06-10
03:01:08.000000000 +0200
+++ /etc/raddb/mods-config/files/authorize 2015-02-11
22:05:36.245744594 +0100
@@ -1,3 +1,5 @@
+testuser Cleartext-Password := "pass"
+
#
# Configuration file for the rlm_files module.
# Please see rlm_files(5) manpage for more information.
--- /etc/raddb/sites-available/default.orig 2014-06-10
03:00:56.000000000 +0200
+++ /etc/raddb/sites-available/default 2015-02-12 12:15:13.644588916
+0100
@@ -345,7 +345,7 @@
#
# The ldap module reads passwords from the LDAP database.
- -ldap
+# -ldap
#
# Enforce daily limits on time spent logged in.
--- /etc/raddb/sites-available/inner-tunnel.orig 2014-06-10
03:00:56.000000000 +0200
+++ /etc/raddb/sites-available/inner-tunnel 2015-02-12
18:28:43.809046956 +0100
@@ -139,7 +146,7 @@
#
# The ldap module reads passwords from the LDAP database.
- -ldap
+# -ldap
#
# Enforce daily limits on time spent logged in.
--- /etc/raddb/clients.conf.orig 2014-06-10 03:00:57.000000000 +0200
+++ /etc/raddb/clients.conf 2015-02-12 10:34:54.436828421 +0100
@@ -278,3 +278,17 @@
# secret = testing123
# }
#}
+
+client podsit_ap {
+ secret = testing123
+ shortname = SkolniWiFi
+ ipaddr = 10.199.0.0
+ netmask = 24
+}
--- /etc/raddb/proxy.conf.orig 2014-06-10 03:00:57.000000000 +0200
+++ /etc/raddb/proxy.conf 2015-02-12 12:18:21.168988853 +0100
@@ -629,7 +629,7 @@
#DEFAULT Proxy-To-Realm := "realm_name"
#
#
-realm example.com {
+realm domain.com {
#
# Realms point to pools of home servers.
#
@@ -714,11 +714,11 @@
# This realm is for requests which don't have an explicit realm
# prefix or suffix. User names like "bob" will match this one.
#
-#realm NULL {
+realm NULL {
# authhost = radius.company.com:1600
# accthost = radius.company.com:1601
# secret = testing123
-#}
+}
#
# This realm is for ALL OTHER requests.
Output of radiusd -X
===============
radiusd: FreeRADIUS Version 3.0.1, for host x86_64-redhat-linux-gnu,
built on Jun 10 2014 at 01:00:46
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/sql
including configuration file
/etc/raddb/mods-config/sql/main/postgresql/queries.conf
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 76800
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm domain.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm NULL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client podsit_ap {
ipaddr = 10.199.0.0
netmask = 24
require_message_authenticator = no
secret = "WiFiKlinetiSPSSE"
shortname = "SkolniWiFi"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client notebook {
ipaddr = 10.0.0.0
netmask = 8
require_message_authenticator = no
secret = "TestTovaci"
shortname = "SkolniWiFi"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
radiusd: #### Instantiating modules ####
instantiate {
}
modules {
# Loaded module rlm_always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Instantiating module "notfound" from file
/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Instantiating module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Loaded module rlm_cache
# Instantiating module "cache_eap" from file
/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 16384
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_detail
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "auth_log" from file
/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "pre_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Instantiating module "post_proxy_log" from file
/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
dir_permissions = 493
locking = no
log_packet_header = no
}
# Loaded module rlm_dhcp
# Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Instantiating module "dynamic_clients" from file
/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
mod_accounting_username_bug = no
max_sessions = 4096
}
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file =
"/etc/raddb/certs/www.domain.com-private-2014-12-13.pem"
certificate_file =
"/etc/raddb/certs/www.domain.com-1418430573-2014-12-13.pem"
ca_file = "/etc/raddb/certs/tcs-ca-bundle-2014-12-13.pem"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = yes
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Loaded module rlm_exec
# Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Instantiating module "expiration" from file
/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
# Loaded module rlm_files
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
usersfile = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
compat = "no"
}
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Loaded module rlm_linelog
# Instantiating module "linelog" from file
/etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "%{%{Packet-Type}:-format}"
}
# Loaded module rlm_logintime
# Instantiating module "logintime" from file
/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Instantiating module "ntlm_auth" from file
/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
pap {
auto_header = no
normalise = yes
}
# Loaded module rlm_passwd
# Instantiating module "etc_passwd" from file
/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Loaded module rlm_preprocess
# Instantiating module "preprocess" from file
/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Loaded module rlm_radutmp
# Instantiating module "radutmp" from file
/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Instantiating module "realmpercent" from file
/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Instantiating module "replicate" from file
/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Instantiating module "sradutmp" from file
/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
# Loaded module rlm_utf8
# Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_sql
# Instantiating module "sql" from file /etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_postgresql"
server = ""
port = ""
login = "radius"
password = "secretpass"
radius_db = "radius"
read_groups = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret,
server FROM nas"
authorize_check_query = "SELECT id, UserName, Attribute, Value,
Op FROM radcheck WHERE Username = '%{SQL-User-Name}'
ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value,
Op FROM radreply WHERE Username = '%{SQL-User-Name}'
ORDER BY id"
authorize_group_check_query = "SELECT id, GroupName, Attribute,
Value, op FROM radgroupcheck WHERE GroupName =
'%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, GroupName, Attribute,
Value, op FROM radgroupreply WHERE GroupName =
'%{Sql-Group}' ORDER BY id"
group_membership_query = "SELECT GroupName FROM radusergroup
WHERE UserName='%{SQL-User-Name}' ORDER BY priority"
simul_count_query = ""
simul_verify_query = ""
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
}
post-auth {
reference = ".query"
}
rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql)
loaded and linked
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 4
max = 10
spare = 3
uses = 0
lifetime = 0
cleanup_delay = 5
idle_timeout = 60
spread = no
}
rlm_sql (sql): Opening additional connection (0)
rlm_sql_postgresql: Connecting using parameters: dbname='radius'
user='radius' password='secretpass'
Connected to database 'radius' on '(null)' server version 90207,
protocol version 3, backend PID 13733
rlm_sql (sql): Opening additional connection (1)
rlm_sql_postgresql: Connecting using parameters: dbname='radius'
user='radius' password='secretpass'
Connected to database 'radius' on '(null)' server version 90207,
protocol version 3, backend PID 13734
rlm_sql (sql): Opening additional connection (2)
rlm_sql_postgresql: Connecting using parameters: dbname='radius'
user='radius' password='secretpass'
Connected to database 'radius' on '(null)' server version 90207,
protocol version 3, backend PID 13735
rlm_sql (sql): Opening additional connection (3)
rlm_sql_postgresql: Connecting using parameters: dbname='radius'
user='radius' password='secretpass'
Connected to database 'radius' on '(null)' server version 90207,
protocol version 3, backend PID 13736
rlm_sql (sql): Opening additional connection (4)
rlm_sql_postgresql: Connecting using parameters: dbname='radius'
user='radius' password='secretpass'
Connected to database 'radius' on '(null)' server version 90207,
protocol version 3, backend PID 13737
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
# Creating Auth-Type = digest
# Loading authenticate {...}
# Loading authorize {...}
# Loading virtual module filter_username
# Loading preacct {...}
# Loading virtual module acct_unique
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Loading virtual module remove_reply_message_if_eap
# Loading virtual module remove_reply_message_if_eap
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Opening new proxy address * port 1814
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.199.0.11 port 32768, id=77,
length=272
User-Name = 'testuser at domain.com'
Calling-Station-Id = 'e0-63-e5-08-8e-ba'
Called-Station-Id = '00-19-a9-cd-01-80:RADIUS'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=0ac7000b0001bea554dcca79'
NAS-IP-Address = 10.199.0.11
NAS-Identifier = 'wlc.domain.com'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '5'
EAP-Message =
0x0201002301766f6a746563682e6b727973746f662e726f6a656b4070736c69622e637a
Message-Authenticator = 0x81e3207284393aa152b52eadb937667d
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) ? if (User-Name != "%{tolower:%{User-Name}}")
(0) expand: "%{tolower:%{User-Name}}" -> 'testuser at domain.com'
(0) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) ? if (User-Name =~ / /)
(0) ? if (User-Name =~ / /) -> FALSE
(0) ? if (User-Name =~ /@.*@/ )
(0) ? if (User-Name =~ /@.*@/ ) -> FALSE
(0) ? if (User-Name =~ /\\.\\./ )
(0) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(0) ? if (User-Name =~ /\\.$/)
(0) ? if (User-Name =~ /\\.$/) -> FALSE
(0) ? if (User-Name =~ /@\\./)
(0) ? if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Looking up realm "domain.com" for User-Name =
"testuser at domain.com"
(0) suffix : Found realm "domain.com"
(0) suffix : Adding Stripped-User-Name = "testuser"
(0) suffix : Adding Realm = "domain.com"
(0) suffix : Proxying request from user testuser to realm domain.com
(0) suffix : Preparing to proxy authentication request to realm
"domain.com"
(0) [suffix] = updated
(0) eap : Request is supposed to be proxied to Realm domain.com. Not
doing EAP.
(0) [eap] = noop
(0) [files] = noop
(0) sql : expand: "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
-> 'testuser'
(0) sql : SQL-User-Name set to 'testuser'
rlm_sql (sql): Reserved connection (4)
(0) sql : expand: "SELECT id, UserName, Attribute, Value, Op FROM
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id" ->
'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE
Username = 'testuser' ORDER BY id'
rlm_sql (sql): Executing query: 'SELECT id, UserName, Attribute, Value,
Op FROM radcheck WHERE Username = 'testuser' ORDER BY id'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
(0) sql : User found in radcheck table
(0) sql : Check items matched
(0) sql : expand: "SELECT id, UserName, Attribute, Value, Op FROM
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id" ->
'SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE
Username = 'testuser' ORDER BY id'
rlm_sql (sql): Executing query: 'SELECT id, UserName, Attribute, Value,
Op FROM radreply WHERE Username = 'testuser' ORDER BY id'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
(0) sql : expand: "SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority" -> 'SELECT GroupName FROM
radusergroup WHERE UserName='testuser' ORDER BY priority'
rlm_sql (sql): Executing query: 'SELECT GroupName FROM radusergroup
WHERE UserName='testuser' ORDER BY priority'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released connection (4)
rlm_sql (sql): Closing connection (0): Too many free connections (5 > 3)
rlm_sql_postgresql: Socket destructor called, closing socket
(0) [-sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) } # authorize = updated
(0) WARNING: Empty pre-proxy section. Using default return values.
(0) Proxying request to home server 127.0.0.1 port 1812
Sending Access-Request of id 42 from 0.0.0.0 port 1814 to 127.0.0.1 port
1812
User-Name = 'testuser'
Calling-Station-Id = 'e0-63-e5-08-8e-ba'
Called-Station-Id = '00-19-a9-cd-01-80:RADIUS'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=0ac7000b0001bea554dcca79'
NAS-IP-Address = 10.199.0.11
NAS-Identifier = 'wlc.domain.com'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '5'
EAP-Message =
0x0201002301766f6a746563682e6b727973746f662e726f6a656b4070736c69622e637a
Message-Authenticator = 0x81e3207284393aa152b52eadb937667d
Proxy-State = 0x3737
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=42,
length=267
User-Name = 'testuser'
Calling-Station-Id = 'e0-63-e5-08-8e-ba'
Called-Station-Id = '00-19-a9-cd-01-80:RADIUS'
NAS-Port = 1
Cisco-AVPair = 'audit-session-id=0ac7000b0001bea554dcca79'
NAS-IP-Address = 10.199.0.11
NAS-Identifier = 'wlc.domain.com'
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = '5'
EAP-Message =
0x0201002301766f6a746563682e6b727973746f662e726f6a656b4070736c69622e637a
Message-Authenticator = 0xd9851db90200815680297d2f3fbce603
Proxy-State = 0x3737
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) ? if (User-Name != "%{tolower:%{User-Name}}")
(1) expand: "%{tolower:%{User-Name}}" -> 'testuser'
(1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) ? if (User-Name =~ / /)
(1) ? if (User-Name =~ / /) -> FALSE
(1) ? if (User-Name =~ /@.*@/ )
(1) ? if (User-Name =~ /@.*@/ ) -> FALSE
(1) ? if (User-Name =~ /\\.\\./ )
(1) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
FALSE
(1) ? if (User-Name =~ /\\.$/)
(1) ? if (User-Name =~ /\\.$/) -> FALSE
(1) ? if (User-Name =~ /@\\./)
(1) ? if (User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : No '@' in User-Name = "testuser", looking up realm NULL
(1) suffix : Found realm "NULL"
(1) suffix : Adding Stripped-User-Name = "testuser"
(1) suffix : Adding Realm = "NULL"
(1) suffix : Authentication realm is LOCAL.
(1) [suffix] = ok
(1) eap : EAP packet type response id 1 length 35
(1) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Identity does not match User-Name, setting from EAP Identity.
(1) eap : Failed in handler
(1) [eap] = invalid
(1) } # authenticate = invalid
(1) Failed to authenticate the user.
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) sql : expand: ".query" -> '.query'
(1) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(1) sql : expand: "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
-> 'testuser'
(1) sql : SQL-User-Name set to 'testuser'
(1) sql : expand: "INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}',
'%{reply:Packet-Type}', NOW())" -> 'INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES('testuser', 'Chap-Password',
'Access-Reject', NOW())'
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES('testuser', 'Chap-Password',
'Access-Reject', NOW())'
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released connection (4)
(1) [-sql] = ok
(1) attr_filter.access_reject : expand: "%{User-Name}" -> 'testuser'
(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) eap : Identity does not match User-Name, setting from EAP Identity.
(1) eap : Failed to get handler, probably already removed, not inserting
EAP-Failure
(1) [eap] = noop
(1) remove_reply_message_if_eap remove_reply_message_if_eap {
(1) ? if (reply:EAP-Message && reply:Reply-Message)
(1) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(1) else else {
(1) [noop] = noop
(1) } # else else = noop
(1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Finished request 1.
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(0) Expecting proxy response no later than 20 seconds from now
Waking up in 0.1 seconds.
(1) Sending delayed reject
Sending Access-Reject of id 42 from 127.0.0.1 port 1812 to 127.0.0.1
port 1814
Proxy-State = 0x3737
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=42,
length=24
Proxy-State = 0x3737
(0) # Executing section post-proxy from file
/etc/raddb/sites-enabled/default
(0) post-proxy {
(0) eap : No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) sql : expand: ".query" -> '.query'
(0) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(0) sql : expand: "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}"
-> 'testuser'
(0) sql : SQL-User-Name set to 'testuser'
(0) sql : expand: "INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}',
'%{reply:Packet-Type}', NOW())" -> 'INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES('testuser at domain.com', 'Chap-Password',
'Access-Reject', NOW())'
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES('testuser at domain.com', 'Chap-Password',
'Access-Reject', NOW())'
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released connection (4)
rlm_sql (sql): Closing connection (1): Too many free connections (4 > 3)
rlm_sql_postgresql: Socket destructor called, closing socket
(0) [-sql] = ok
(0) attr_filter.access_reject : expand: "%{User-Name}" ->
'testuser at domain.com'
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request was previously rejected, inserting EAP-Failure
(0) [eap] = updated
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) ? if (reply:EAP-Message && reply:Reply-Message)
(0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Finished request 0.
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 10.199.0.11 port 32768, id=77,
length=272
(0) Discarding duplicate request from client SkolniWiFi port 32768 - ID:
77 due to delayed reject
(0) Sending delayed reject
Sending Access-Reject of id 77 from 10.200.0.3 port 1812 to 10.199.0.11
port 32768
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 42 with timestamp +5
Waking up in 1.0 seconds.
(0) Cleaning up request packet ID 77 with timestamp +5
Ready to process requests.
--
Milan Keršláger
http://www.pslib.cz/ke/
http://www.nti.tul.cz/wiki/Milan.Kerslager
More information about the Freeradius-Users
mailing list